A critical vulnerability recently patched in the Elementor plugin for WordPress allowed authenticated users to upload arbitrary files to vulnerable sites, which can lead to arbitrary code execution on the server. Even worse, the researchers believe that unauthenticated users can exploit the vulnerability as well, although this exploitation scenario has not yet been officially confirmed.
Although the confirmed attack path requires authentication, the bug was still classified as critical, since anyone with an account on the vulnerable site, including ordinary subscribers, can use it. To fix the RCE issue, which posed a threat to roughly 500,000 websites, the developers of the Elementor Website Builder plugin have released version 3.6.3.
The problem in the popular plugin was discovered by the Plugin Vulnerabilities team. According to them, the root cause was a missing capability check in one of the plugin's files, module.php, which is loaded on every request that fires the admin_init action, even for unregistered users (in WordPress, admin_init also fires for requests to admin-ajax.php, which do not require a login). Since one of the functions attached to admin_init processes files submitted through a plugin form, an attacker can upload a malicious file and use it for remote code execution.
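The pattern described above, as an added illustration written for this article and not Elementor's own code: a hypothetical plugin hooks an upload handler to admin_init. The first handler gates only on the presence of a form field, so any request that posts it reaches the upload code; the second adds the capability and nonce checks that were missing. All demo_* function, field and directory names are invented for the example; the WordPress functions called (add_action, is_user_logged_in, current_user_can, check_admin_referer, wp_die, WP_Filesystem, unzip_file) are real.

```php
<?php
// Added illustration, not Elementor's code. Both handlers run on admin_init,
// which WordPress fires on every wp-admin request and on admin-ajax.php,
// including requests from visitors who are not logged in.

// VULNERABLE pattern: the only gate is a form field, so any request that
// posts it (authenticated or not) reaches the upload-and-install code.
function demo_vulnerable_upload_handler() {
    if ( empty( $_POST['demo_upload_action'] ) ) {
        return;
    }
    demo_install_uploaded_zip( $_FILES['demo_package'] ?? null );
}
add_action( 'admin_init', 'demo_vulnerable_upload_handler' );

// HARDENED pattern: require a logged-in user with the right capability and
// a valid nonce before touching the upload, then validate the file itself.
function demo_hardened_upload_handler() {
    if ( empty( $_POST['demo_upload_action'] ) ) {
        return;
    }
    // Authorization: admin_init does not imply an admin (or any) user, so the
    // handler must check the capability that the action actually needs.
    if ( ! is_user_logged_in() || ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Nonce ties the request to a form this user was shown (blocks CSRF).
    check_admin_referer( 'demo_upload_package', 'demo_upload_nonce' );

    $file = $_FILES['demo_package'] ?? null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] ) {
        wp_die( 'No package uploaded.', 400 );
    }
    if ( ! demo_is_zip( $file['tmp_name'] ) ) {
        wp_die( 'Only .zip packages are accepted.', 400 );
    }
    demo_install_uploaded_zip( $file );
}
add_action( 'admin_init', 'demo_hardened_upload_handler' );

// Inspect the magic bytes instead of trusting the client-supplied file name
// or MIME type, both of which the attacker controls.
function demo_is_zip( $path ) {
    $fh = fopen( $path, 'rb' );
    if ( ! $fh ) {
        return false;
    }
    $magic = fread( $fh, 4 );
    fclose( $fh );
    return "PK\x03\x04" === $magic;
}

// Unpack the uploaded archive into a plugin directory (hypothetical target
// path). With no check in front of it, this is the arbitrary-file-write
// primitive that turns an upload into code execution.
function demo_install_uploaded_zip( $file ) {
    if ( ! $file ) {
        wp_die( 'No package uploaded.', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();
    $target = WP_PLUGIN_DIR . '/demo-installed-package/';
    $result = unzip_file( $file['tmp_name'], $target );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 500 );
    }
}
```

The difference between the two handlers is entirely in the gate: the upload and unzip logic is identical. When reviewing a plugin for this class of bug, list every callback attached to admin_init, admin_post_*, wp_ajax_* and wp_ajax_nopriv_*, and confirm that each one that writes files or changes state calls current_user_can() with a specific capability and verifies a nonce before doing anything else.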
According to the researchers, the problem was introduced in Elementor 3.6.0, released on March 22, so versions 3.6.0 through 3.6.2 are affected. Official WordPress.org statistics show that approximately 30.7% of Elementor users have upgraded to the 3.6.x branch, which puts the maximum number of potentially vulnerable sites at approximately 1,500,000.
The plugin has been downloaded a little over a million times in recent days, and even assuming every one of those downloads was an update to version 3.6.3, about 500,000 sites remain vulnerable. It is worth noting that the Plugin Vulnerabilities team published a proof-of-concept exploit for the vulnerability in their report, which further increases the risk to unpatched sites.